https://github.com/angelbarrera92/dockerhub-mutator
Kubernetes mutator to change any container image to be downloaded from google mirror instead of downloading directly from Docker Hub
https://github.com/angelbarrera92/dockerhub-mutator
cert-manager cncf docker dockerhub google-mirror kubernetes mutator webhook youwillnevercodealone
Last synced: about 2 months ago
JSON representation
Kubernetes mutator to change any container image to be downloaded from google mirror instead of downloading directly from Docker Hub
- Host: GitHub
- URL: https://github.com/angelbarrera92/dockerhub-mutator
- Owner: angelbarrera92
- Created: 2020-11-03T18:16:11.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2020-11-14T12:24:27.000Z (over 5 years ago)
- Last Synced: 2025-06-18T16:48:33.949Z (about 1 year ago)
- Topics: cert-manager, cncf, docker, dockerhub, google-mirror, kubernetes, mutator, webhook, youwillnevercodealone
- Language: Python
- Homepage:
- Size: 10.7 KB
- Stars: 3
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Docker Hub Mutator
> Original idea from the #YouWillNeverCodeAlone group.
Kubernetes mutator to change any container image to be downloaded from google mirror instead of downloading directly from Docker Hub.
It should avoid the [new rate limit Docker inc is setting up in its Hub](https://docs.docker.com/docker-hub/download-rate-limit/).
## Disclaimer
Project current state: **POC**.
It has some pending points to be implemented before consider it a beta software.
- [ ] Deployed in the default namespace *(hardcoded)*
- [ ] Helm Chart
- [ ] Logging
- [ ] Metrics
## Run it in your cluster
### Requirements
An already working Kubernetes cluster with [cert-manager](https://github.com/jetstack/cert-manager) installed.
### Deploy
The container image with the mutator is available at the GitHub Container Registry: `ghcr.io/angelbarrera92/dockerhub-mutator:latest`.
```bash
$ docker pull ghcr.io/angelbarrera92/dockerhub-mutator:latest
```
Available for the following architectures:
- `linux/amd64`
- `linux/arm/v6`
- `linux/arm/v7`
- `linux/arm64`
Deploy the solution using the following commands:
```bash
$ kubectl apply -f https://raw.githubusercontent.com/angelbarrera92/dockerhub-mutator/master/hack/deploy.yaml
issuer.cert-manager.io/mutator-root created
certificate.cert-manager.io/mutator-root-ca created
issuer.cert-manager.io/mutator-root-ca created
certificate.cert-manager.io/dockerhub-mutator created
deployment.apps/dockerhub-mutator created
service/dockerhub-mutator created
$ kubectl apply -f https://raw.githubusercontent.com/angelbarrera92/dockerhub-mutator/master/hack/mutation.yaml
mutatingwebhookconfiguration.admissionregistration.k8s.io/dockerhub-mutator created
```
## Run it locally
### Requirements
Create a local [kind](https://github.com/kubernetes-sigs/kind) cluster then install [cert-manager](https://github.com/jetstack/cert-manager):
```bash
$ kind create cluster
Creating cluster "kind" ...
â Ensuring node image (kindest/node:v1.19.1) đŧ
â Preparing nodes đĻ
â Writing configuration đ
â Starting control-plane đšī¸
â Installing CNI đ
â Installing StorageClass đž
Set kubectl context to "kind-kind"
You can now use your cluster with:
kubectl cluster-info --context kind-kind
Have a nice day! đ
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.yaml
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
namespace/cert-manager created
serviceaccount/cert-manager-cainjector created
serviceaccount/cert-manager created
serviceaccount/cert-manager-webhook created
clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
role.rbac.authorization.k8s.io/cert-manager:leaderelection created
role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
service/cert-manager created
service/cert-manager-webhook created
deployment.apps/cert-manager-cainjector created
deployment.apps/cert-manager created
deployment.apps/cert-manager-webhook created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
```
### Build and deploy
Wait until all cert-manager containers are running, then after cloning this repository, run the following commands:
```bash
$ docker build -q --no-cache -t ghcr.io/angelbarrera92/dockerhub-mutator:latest .
sha256:b97575883f02cd3dcdf0a9334ff88850f7dbc9dc00064e54c6188b9c4bde4afe
$ kind load docker-image ghcr.io/angelbarrera92/dockerhub-mutator:latest
Image: "ghcr.io/angelbarrera92/dockerhub-mutator:latest" with ID "sha256:b97575883f02cd3dcdf0a9334ff88850f7dbc9dc00064e54c6188b9c4bde4afe" not yet present on node "kind-control-plane", loading...
$ kubectl apply -f hack/deploy.yaml
issuer.cert-manager.io/mutator-root created
certificate.cert-manager.io/mutator-root-ca created
issuer.cert-manager.io/mutator-root-ca created
certificate.cert-manager.io/dockerhub-mutator created
deployment.apps/dockerhub-mutator created
service/dockerhub-mutator created
$ kubectl apply -f hack/mutation.yaml
mutatingwebhookconfiguration.admissionregistration.k8s.io/dockerhub-mutator created
```
## Test it
Once everything is placed, create a deployment
```bash
$ kubectl create deployment example-mutation --image=nginx:latest
deployment.apps/example-mutation created
```
Inspect the deployment:
```bash
$ kubectl get deployment example-mutation -o jsonpath='{.metadata.labels.mutated}'
yes
$ kubectl get deployment example-mutation -o jsonpath='{.spec.template.spec.containers[0].image}'
mirror.gcr.io/library/nginx:latest
```
The image name has been changed. Now it is configured to use the `mirror.gcr.io` google container registry.
## Thanks
Thanks to [@javierprovecho](https://github.com/javierprovecho) to participate in the live coding session at twitch. We built it together!